OCR Updates Guidance on Use of Online Tracking Technologies

29 Mar 2024
Client Alert

The use of online tracking technologies by HIPAA regulated entities continues to pose enforcement questions without clear answers.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently updated its guidance on the use of third-party tracking technologies, such as cookies and pixels, by HIPAA covered entities and business associates (“regulated entities”) and how the HIPAA Rules apply to the same.  

OCR’s original December 2022 guidance was aimed at addressing the risk of regulated entities disclosing protected health information (PHI) to tracking technology vendors. OCR issued the updated guidance in an effort to clarify when information collected by technology vendors may be considered PHI and to allow more flexibility to regulated entities in their dealings with the same. It also emphasized that OCR’s enforcement priority would be consideration of the HIPAA Security Rule.

Background and Original Guidance

In the aftermath of the U.S. Supreme Court’s June 2022 decision in Dobbs v. Jackson Women’s Health Organization that the U.S. Constitution does not confer a right to an abortion, OCR issued its original guidance ostensibly in an effort to protect the anonymity of patients seeking reproductive health care and in light of increasing scrutiny on the use of technologies for targeted advertising. The implications of the guidance, however, were much more sweeping.

As defined in the original guidance, third-party tracking technologies are tools deployed on websites or apps that collect information about users and their actions on the website or app. They are commonplace technologies that help website operators understand how users are accessing their sites and improve user experiences, as well as market and advertise their products or services. According to OCR, when these technologies are used on regulated entities’ websites and apps, depending on the technologies’ configurations and placement, the technology provider may end up collecting PHI. This, in turn, requires that regulated entities using the technology engage in practices that ensure compliance with HIPAA. 

The original guidance on these data elements was quite broad. Under the original guidance, OCR took the position that individually identifiable health information (IIHI) (which OCR indicated at the time might include a medical record number, email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifier) collected from a regulated entity’s website or app is “generally” PHI, even if the user does not have an existing relationship with the regulated entity at the time of collection and even if the IIHI does not include treatment or billing information. The guidance reminded regulated entities that the use of online tracking technologies to process PHI is not permitted under HIPAA unless pursuant to a business associate agreement (BAA) with the technology provider or a HIPAA authorization.

The original guidance, coupled with the Federal Trade Commission (FTC)’s increased enforcement against health platforms for use of online tracking technologies,[1] spurred OCR and the FTC to send a joint letter in July 2023 to over 130 regulated entities, emphasizing the risks of using tracking technology that may be impermissibly disclosing PHI and encouraging recipients to evaluate their practices and take steps to ensure compliance.  

The plaintiffs’ bar quickly followed suit, filing putative class actions against hundreds of regulated entities in state and federal courts across the country under state and federal wiretap statutes and various state statutory and common law privacy theories. State enforcement agencies have also increased similar investigations into regulated entities’ use of website tracking technologies.

In response to the breadth of OCR’s original guidance and implications for regulated entities, in November 2023, the American Hospital Association (AHA) filed a lawsuit against HHS and OCR, seeking to (i) enjoin the enforcement of the original guidance, (ii) set aside the definition of IIHI provided in the guidance, and (iii) declare the guidance definition of IIHI as a non-statutory and regulatory definition (generally referred to as the “AHA litigation”). Seventeen state hospital associations and thirty hospitals and health systems have filed briefs supporting the AHA in the AHA litigation. 

Summary of Changes

While OCR has retained the majority of its original guidance in the most recent update, OCR does make some key revisions summarized below.

  • Clarifies what data elements constitute PHI. Under the updated guidance, OCR has clarified that not all information collected by website tracking technologies constitutes PHI. Instead, to constitute PHI, OCR has emphasized that the information must be related to an individual’s past, present, or future health, health care, or payment for health care. Thus, the mere fact that an online tracking technology associates a user’s IP address with a regulated entity’s website that addresses a health condition does not mean that this information is PHI.
  • Explains when tracking technologies used on unauthenticated webpages could capture PHI and when they do not. OCR describes when collecting information about a user’s visit to an unauthenticated webpage may result in collection of PHI under certain circumstances. OCR states that visits to unauthenticated webpages do not result in a disclosure of PHI to a technology provider if the provider does not have access to information that relates to any individual’s past, present, or future health, health care, or payment for health care. Helpfully for regulated entities, OCR now makes clear that information collected about a website visitor’s interactions with a webpage providing information about job postings or visiting hours does not involve a disclosure of an individual’s PHI to a technology vendor, because this information is not indicative of an individual’s past, present, or future health, health care, or payment for health care. But, as to some unauthenticated pages, OCR takes the position that collection may constitute a disclosure. OCR provides new illustrations to attempt to show the difference. According to OCR, if a student visits a regulated entity’s oncology webpage for research purposes, information collected about the student’s visit to the webpage would not be PHI. However, if another person visits the same webpage to seek a second opinion on a cancer diagnosis, information collected about the person’s visit to the webpage may be PHI, and OCR may find that the HIPAA Rules apply. While this appears to be an attempt to provide more flexibility for regulated entities, a determination as to whether the collected information is PHI is wholly dependent on a user’s intent, something regulated entities generally do not have visibility into.
  • Suggests relationship solutions for technology vendors that won’t sign BAAs. Under the updated guidance, OCR has suggested an alternative, intermediary solution for dealing with a technology vendor who will not sign a BAA: the regulated entity can enter into a BAA with a Customer Data Platform vendor, under which the Customer Data Platform vendor de-identifies online tracking information that includes PHI. The Customer Data Platform vendor can then disclose only de-identified information to tracking technology vendors. It is unclear how this arrangement would be a viable solution in the context of online tracking technologies that are largely premised on the collection of a unique identifier, a data element that would need to be removed to achieve de-identification.
  • Emphasizes that compliance with the HIPAA Security Rule is OCR’s enforcement priority. The updated guidance adds that entities’ compliance with the HIPAA Security Rule “lower[s] the risk of unauthorized access to ePHI collected through a regulated entity’s website or mobile app[.]” Thus, OCR indicates that going forward it “is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.” It is unclear how this squares with the focus on impermissible uses and disclosures of PHI, which is a key component of the HIPAA Privacy Rule, under both the original and the updated guidance.   

Key Takeaways

The changes detailed above suggest that OCR will rely on the subjective intent of a website or app user to determine whether information collected by a tracking technology is PHI. How OCR will enforce this new subjective standard is yet to be determined and creates an added layer of compliance complexity for regulated entities. It is clear, however, that OCR’s enforcement in this area is a priority, particularly under the HIPAA Security Rule.  

Regulated entities should develop thoughtful practices that comply with the updated guidance and continue to evaluate tracking technologies on their websites and apps to confirm compliance and mitigate the risk of future inquiries and private litigation. Given OCR’s emphasis on enforcement of these practices under the Security Rule, regulated entities should take steps to ensure that the use of online tracking technologies is reviewed under the Security Rule requirements.  

Further Impact

In response to the changes, the AHA issued a statement: “The fact that [OCR] has modified its Bulletin in response to our lawsuit concedes that the original Bulletin was flawed as a matter of law and policy. Unfortunately, the modified Bulletin suffers from the same substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review. The modified rule will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need.”

While OCR’s updates seem to be in response to the AHA litigation, the effects of the updated guidance are likely to be farther reaching for other pending litigation. Specifically, the updated guidance may prove useful to the droves of regulated entities facing purported “wiretapping” claims should those cases reach the class certification stage. Indeed, litigants and courts alike have been citing OCR’s original guidance as part of the wave of “wiretap” litigation facing regulated entities. And now, the individualized, subjective questions presented by OCR’s updated guidance preview some of the hurdles to certification that plaintiffs bringing these lawsuits should face.

Carson Martinez, Associate, contributed to the drafting of this alert.


[1] For example, the FTC brought several actions last year against health companies in connection with the use of website tracking technologies. See FTC Brings First Enforcement Action of the Health Breach Notification Rule.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.
